  • November 07, 2025
  • 10 min read

ASV Scans: What they are, when you need them, and how they work

Shane Curran

Founder & CEO

Categories

Compliance

ASV scans are external vulnerability scans required for PCI DSS compliance. If your company has internet-facing systems connected to payment processing, even if you use embedded iframes or hosted redirects to your payment processor, you need quarterly scans. Traditional ASV tools bury results in 1,000+ page PDFs. Evervault ASV Scans replaces this with a clean dashboard, unlimited rescans, and structured data that makes the entire process faster and more user-friendly.

What are ASV Scans?

ASV scans are external vulnerability assessments performed to a specific standard set by the PCI Security Standards Council (PCI SSC). These scans help ensure that systems that handle or affect cardholder data meet PCI DSS Requirement 11.3.2.

An ASV scan checks your external, internet-facing systems for known vulnerabilities that attackers could exploit. The scan looks for security weaknesses in your infrastructure that could expose payment data.

Unlike internal security assessments, ASV scans must be conducted by vendors accredited by the PCI SSC (Approved Scanning Vendors, or ASVs). This accreditation ensures the scans meet the rigorous standards required for PCI compliance.

Who needs ASV Scans?

If your company has externally facing systems that could impact cardholder data security, you will generally need ASV scans. This requirement applies to:

  • Merchants who store, process, or transmit payment data themselves
  • Service providers handling payment card data
  • Companies with servers that redirect customers to third-party payment processors
  • Businesses hosting embedded payment pages or iframes from third-party processors

A common misconception is that fully outsourcing payment processing exempts you from ASV scanning requirements. Even if you use Stripe or another provider with embedded iframes or payment redirects, you still need ASV scans.

When do you need to run ASV Scans?

ASV scans must be performed:

  1. Quarterly: PCI DSS Requirement 11.3.2 asks for a passing external scan at least once every three months. In practice that means a passing scan in each calendar quarter, spaced roughly 90 days apart, so that the year is covered end to end. Some organizations have tried to game this by running a scan on the last day of one quarter and another the very next day for the following quarter. While that technically provides a scan in each quarter, it leaves a stretch of almost six months in which nothing is scanned, and it clearly misses the intent of continuous security monitoring throughout the year.
  2. After significant changes: Requirement 11.3.2.1 requires an external vulnerability scan after any significant change to your internet-facing systems. That post-change scan does not have to be run by an ASV (qualified, independent internal staff can perform it), but any finding scored CVSS 4.0 or higher still has to be resolved and rescanned, so many teams simply rerun their ASV scan. Significant changes include:
  • Deploying new servers
  • Updating web applications
  • Modifying network configurations
  • Changes to payment page infrastructure

While quarterly scans are the minimum for compliance, many organizations run scans more frequently as part of their ongoing security maintenance. More frequent scanning helps you catch vulnerabilities early, before they can be exploited. You must also be able to show a passing scan for each quarter, so leaving the scan until the last days of the quarter, when a failure leaves no time to remediate and rescan, is an unnecessarily risky approach.
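The cadence rules above are easy to get wrong with a calendar alone, so here is an added example (not code from the original post or from Evervault) that checks a list of passing-scan dates for two things: a passing scan in every calendar quarter, and no stretch longer than roughly three months between consecutive passing scans, which is what catches the last-day-of-quarter / first-day-of-next-quarter pattern even though it covers every quarter. The scan histories are constructed, and MAX_GAP_DAYS is an assumption approximating "at least once every three months".

```python
"""Quarterly-cadence check for passing ASV scan dates.

Added example, not code from the original post or from Evervault. Dates are
ISO strings as you would export them from a scan dashboard. MAX_GAP_DAYS is
an assumption that approximates "at least once every three months": the
longest three-month span in a year (July to October) is 92 days.
"""
from datetime import date, timedelta

MAX_GAP_DAYS = 92


def _parse(iso: str) -> date:
    return date.fromisoformat(iso)


def quarter_of(iso: str) -> tuple[int, int]:
    """(year, quarter) for an ISO date, quarters numbered 1 to 4."""
    d = _parse(iso)
    return d.year, (d.month - 1) // 3 + 1


def check_cadence(passing_scans: list[str], year: int) -> dict:
    """Evaluate passing-scan dates for one calendar year.

    Returns:
      missing_quarters: quarters of `year` with no passing scan
      long_gaps: (earlier, later, days) for consecutive passing scans more
                 than MAX_GAP_DAYS apart; measured over the whole history,
                 so a scan from the previous December shortens January's gap
      ok: True only when both lists are empty
    """
    history = sorted(_parse(s) for s in passing_scans)
    covered = {quarter_of(d.isoformat()) for d in history if d.year == year}
    missing = [q for q in range(1, 5) if (year, q) not in covered]
    long_gaps = [
        (a.isoformat(), b.isoformat(), (b - a).days)
        for a, b in zip(history, history[1:])
        if (b - a).days > MAX_GAP_DAYS
    ]
    return {
        "ok": not missing and not long_gaps,
        "missing_quarters": missing,
        "long_gaps": long_gaps,
    }


def next_due(last_passing_scan: str) -> str:
    """Latest date by which the next passing scan should be complete."""
    return (_parse(last_passing_scan) + timedelta(days=MAX_GAP_DAYS)).isoformat()


# Constructed scan histories (not real data).
EVENLY_SPACED = ["2025-01-15", "2025-04-15", "2025-07-15", "2025-10-15"]
# One scan in every calendar quarter, but a 182-day stretch with no scan:
# the last-day / first-day pattern described above.
GAMED = ["2025-03-31", "2025-04-01", "2025-09-30", "2025-10-01"]

if __name__ == "__main__":
    for name, scans in (("evenly spaced", EVENLY_SPACED), ("gamed", GAMED)):
        result = check_cadence(scans, 2025)
        print(f"{name}: {'ok' if result['ok'] else 'NOT ok'} {result}")
    print("next scan due by", next_due(EVENLY_SPACED[-1]))
```

The evenly spaced history passes both checks; the gamed history has a scan in all four quarters yet is flagged for the 182-day gap between 1 April and 30 September. Feeding `next_due` the date of your last passing scan gives a hard deadline to put in the team calendar, with enough margin to remediate and rescan if the next scan fails.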

What does an ASV Scan check?

ASV scans examine all external, internet-facing components within your PCI DSS scope. The scanning process is comprehensive, looking for vulnerabilities across multiple layers of your infrastructure. Here's what the scan identifies:

Vulnerabilities

The scan checks for:

  • Outdated or unpatched operating systems, web servers, or applications
  • Known CVEs (Common Vulnerabilities and Exposures)
  • Weak or default passwords

Insecure Services and Ports

ASV scans identify:

  • Open or unnecessary ports that could provide attack vectors
  • Insecure services like Telnet or FTP
  • Remote access services exposed to the internet without proper security controls

SSL/TLS Configuration Issues

The scan examines your encryption setup for:

  • Weak ciphers that could be cracked
  • Expired certificates
  • Use of deprecated protocols like SSL v2/v3 or TLS 1.0/1.1
  • Certificate mismatches that could indicate configuration problems

Misconfigurations

Security misconfigurations the scan detects include:

  • Missing security patches
  • Poor system configurations, such as directory listings enabled or verbose error messages that leak system information

Potential Exploits

The scan flags anything an attacker could use to compromise cardholder data. Any vulnerability with a CVSS base score of 4.0 or higher fails the scan. In addition, the PCI SSC ASV Program Guide lists findings that fail automatically regardless of score, including SQL injection, cross-site scripting, directory traversal, backdoors or malware, unsupported operating systems, and SSL/early TLS on in-scope systems. You must remediate these issues and rescan until the result is clean before the scan can be used for compliance.

It's worth noting that ASV scans do not consider vulnerabilities purely related to Denial of Service (DoS) as PCI DSS failures. While DoS vulnerabilities may still appear in your scan results, they won't prevent you from achieving a passing scan for compliance purposes.
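To make the pass/fail rules concrete, here is an added example (not code from the original post or from Evervault) that applies them to a constructed list of findings: anything scored CVSS 4.0 or higher fails, DoS-only findings are only noted, a small set of categories fails regardless of score, and findings with an accepted exception are set aside. The hosts (203.0.113.0/24 is a documentation range), titles, categories and the AUTOMATIC_FAILURES set are assumptions for illustration; the authoritative list is in the PCI SSC ASV Program Guide.

```python
"""ASV pass/fail triage over structured scan findings.

Added example, not code from the original post or from Evervault. The
findings below are constructed. Rules applied: CVSS >= 4.0 fails; DoS-only
findings do not fail; categories in AUTOMATIC_FAILURES fail regardless of
score (an illustrative subset of the ASV Program Guide's list, assumed
here); findings with an accepted exception are excluded.
"""
from collections import defaultdict
from dataclasses import dataclass

FAIL_THRESHOLD = 4.0

# Categories that fail regardless of CVSS score (illustrative subset).
AUTOMATIC_FAILURES = {
    "sql_injection", "xss", "directory_traversal",
    "backdoor_or_malware", "unsupported_os", "ssl_early_tls",
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float
    category: str = "generic"
    dos_only: bool = False   # impact is purely denial of service
    excepted: bool = False   # exception accepted by the ASV (e.g. false positive)


def is_failing(f: Finding) -> bool:
    """Does this single finding block a passing scan?"""
    if f.excepted:
        return False
    if f.category in AUTOMATIC_FAILURES:
        return True
    if f.dos_only:
        return False
    return f.cvss >= FAIL_THRESHOLD


def triage(findings) -> dict:
    """Split findings into what must be fixed before a rescan and what is only noted."""
    failing = sorted(
        (f for f in findings if is_failing(f)),
        key=lambda f: (-f.cvss, f.host, f.port),
    )
    noted = [f for f in findings if not is_failing(f)]
    by_host = defaultdict(int)
    for f in failing:
        by_host[f.host] += 1
    return {
        "passed": not failing,
        "failing": failing,
        "noted": noted,
        "failing_by_host": dict(by_host),
    }


# Constructed findings (not real scan output); hosts are in the
# 203.0.113.0/24 documentation range.
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", 443, "TLS 1.0 offered on HTTPS listener", 5.3,
            category="ssl_early_tls"),
    Finding("203.0.113.10", 80, "Directory listing enabled", 5.0),
    Finding("203.0.113.11", 443, "Web server version out of support", 7.5),
    Finding("203.0.113.11", 22, "SSH daemon resource-exhaustion issue", 7.5,
            dos_only=True),
    Finding("203.0.113.12", 443, "Certificate name does not match hostname", 3.7),
    Finding("203.0.113.12", 8443, "Management console reachable", 6.5,
            excepted=True),
]

if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS)
    print("PASS" if result["passed"] else "FAIL")
    for f in result["failing"]:
        print(f"  fix before rescan: {f.host}:{f.port} {f.title} (CVSS {f.cvss})")
    for f in result["noted"]:
        print(f"  noted only:        {f.host}:{f.port} {f.title}")
```

The failing list is exactly the fix-before-rescan queue, ordered by severity and host, and the per-host counts tell you where to start. Note that the high-scoring DoS finding and the below-threshold certificate mismatch are still reported, just not as failures, and that marking a finding as excepted only removes it once the ASV has actually accepted the exception.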

The problem with traditional ASV scanning tools

Most ASV scanning solutions have a fundamental user experience problem. After your scan completes, you receive a PDF report that can be hundreds or even thousands of pages long. These reports dump all scan data across a set of documents with minimal structure or filtering.

When a scan fails, you need to:

  1. Download and open massive PDFs
  2. Scroll through pages of technical data
  3. Try to identify which vulnerabilities caused the failure
  4. Figure out the context and severity of each issue
  5. Research how to fix each vulnerability
  6. Track which issues you've addressed

This process is time-consuming and error-prone. Traditional tools also scatter information across multiple tabs and interfaces, making it difficult to get a clear picture of your security posture. The user interfaces are often dated and clunky, adding unnecessary complexity to what should be a straightforward compliance task.

How Evervault ASV Scans work

Evervault ASV Scans replaces the PDF-heavy workflow with a modern, dashboard-based experience. The entire process happens in your browser, using structured data rather than unstructured documents.

Setting up your scan

You start by selecting your target IP addresses or hostnames in the Evervault dashboard. You can scan:

  • A single IP address
  • An IP address range
  • A domain

The scan takes a few hours to complete. Evervault offers native Slack integrations and webhooks, so you can receive notifications about scan progress without constantly checking the dashboard.

Screenshot: creating an IP address target to set up a scan.

Reviewing scan results

When your scan completes, you immediately see whether you passed or failed. If the scan failed, the vulnerabilities that caused the failure are surfaced at the top of your results.

Instead of searching through a PDF, you see your vulnerabilities as structured, filterable data in the dashboard. You can click into any vulnerability to see:

  • Why it caused a failure
  • The full context of the security issue
  • Specific recommendations for how to fix it

This approach makes remediation significantly faster. You can identify problems, understand their impact, and implement fixes without switching between tools or digging through documentation.

If you believe a flagged vulnerability is not valid for your environment or a false positive, you can request an exception directly through the dashboard. Exception requests typically receive a response within 1-2 working days. You can apply exceptions to the current scan and all future scans, streamlining your compliance workflow.

You can re-run scans an unlimited number of times until you pass, at no additional cost.

Screenshot: the detailed view of a vulnerability identified by an ASV Scan.

Submitting results

Once you pass your scan, your Attestation of Scan Compliance (AoSC) and ASV Scan Report Executive Summary are available for download on demand. These are the documents your acquirer or Qualified Security Assessor (QSA) needs to attest to your compliance with PCI DSS 4.0 requirement 11.3.2.

Screenshot: a passing scan result page with on-demand PCI-ready reports.

Why Evervault ASV Scans are different

Evervault ASV Scans brings several improvements to the ASV scanning process:

Faster remediation: Vulnerabilities appear as structured dashboard data, not buried in lengthy PDFs. You can filter, sort, and drill down into issues in seconds.

User-friendly interface: Set up scans, track progress, and request exceptions in just a few clicks. The modern UI reduces the friction of compliance work.

Full context in one place: Traditional tools scatter data across tabs and documents. Evervault brings all the information you need to a single dashboard, making scans quick to review and easy to act on.

Unlimited rescans: Run as many scans as needed until you pass, with no extra charges. This removes the pressure of trying to fix everything perfectly on the first attempt.

Standalone and modular: You can purchase ASV Scans on its own, without committing to a full compliance suite. Pay only for what you need.

Evervault: Your complete PCI compliance solution

Evervault is the only vendor on the market that provides all the tools and guidance you need to reduce your PCI scope and achieve compliance-ready status.

Our platform includes:

UI Components: Secure, fully customizable iframes that collect and encrypt card data, ensuring sensitive information never touches your infrastructure.

Relay: A secure proxy that allows you to pass card data to downstream partners without increasing your compliance scope.

Page Protection: A browser script security management tool that protects your payment pages from script attacks and helps you comply with PCI DSS 4.0 requirements 6.4.3 and 11.6.1.

ASV Scans: External vulnerability scanning that helps you spot security issues before they're exploited and stay compliant with PCI DSS 4.0 requirement 11.3.2.

Beyond these tools, Evervault provides complete policy packs with guidance on internal actions you need to take based on your specific PCI control set. This includes policies for patching, managing user controls, and incident response planning. We also provide draft attestations you can customize for your company.

Our in-house (ex) PCI Qualified Security Assessor (QSA) is available to support you in preparing for your PCI compliance attestation. Instead of working with multiple vendors and stitching together a compliance program, you can manage everything through Evervault.

Frequently Asked Questions

How long does an ASV scan take?

Most ASV scans take between 1-4 hours to complete, depending on the number of IP addresses being scanned and the complexity of your infrastructure.

What happens if my scan fails?

If your scan fails, you'll see the specific vulnerabilities that caused the failure in your dashboard. You can then remediate these issues and re-run the scan as many times as needed until you pass—at no additional cost with Evervault.

Can I scan the same IPs multiple times in one quarter?

Yes. In fact, it's recommended to scan frequently, especially after making changes to your infrastructure. You need at least one passing scan per quarter for compliance, but running more frequent scans helps you catch issues early.

Do I need ASV scans if I use Stripe or another payment processor?

Yes. Even if you redirect to a third-party processor or use embedded iframes, you still need ASV scans for any internet-facing systems that could impact cardholder data security. This includes the servers hosting your payment pages.

What's the difference between an ASV scan and a penetration test?

ASV scans are automated, unauthenticated external vulnerability scans that check for known security issues, and PCI DSS requires them under requirement 11.3.2. Penetration tests are manual assessments in which security professionals actively attempt to exploit vulnerabilities, and PCI DSS covers them under requirement 11.4. Both may be required for your PCI compliance, depending on your validation type, but they serve different purposes and one does not substitute for the other.

Get started with Evervault ASV Scans

ASV scanning is a critical compliance requirement, but it doesn't have to be painful. Evervault ASV Scans makes the process faster and more straightforward by replacing PDF reports with a clean, structured dashboard experience.

If you need to meet PCI DSS requirement 11.3.2, you can start running scans today. Learn more about Evervault ASV Scans.

If you're new to Evervault and want to explore our complete PCI compliance platform, get in touch with our team to learn how we can help you reduce your PCI scope and streamline your compliance.
